​Gmail Docs phishing attack: Google targets devs with tighter web app ID checks

New manual reviews for web applications may to take up to seven days.
Written by Liam Tung, Contributing Writer

Apps that request user data will now need to undergo a manual review process that may take up seven days.

Image: Getty Images

Google is slowing down the process for publishing web applications to prevent a repeat of the phishing attack that abused users' trust in its sign-in system with a fake Google Docs app.

Google has warned web app developers that new rules and an additional risk assessment may add "some friction" to the process of publishing apps.

Apps that request user data will now need to undergo a manual review process that may take up seven days before users can approve permissions in Google's sign-in services.

"Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page," Google said in a blog detailing new developer identity guidelines.

"You can request a review during the testing phase to open the app to the public. We will try to process those reviews in three to seven business days. In the future, we will enable review requests during the registration phase as well."

The fake Docs phishing attack abused Google's OAuth login page where third-party apps can request access to different permissions in Gmail, such as the ability to read, send, delete and manage email.

The attacker created a bogus Google Docs app to trick recipients into giving this permission from Google's real login page, which the app then used to spread the same phishing message to the target's contacts.

Some have called on Google and others that use OAuth to link third-party applications, such as Facebook and Twitter, to do a better job of vetting application developers.

The manual review and an updated consent page aim to improve Google's ability to detect spoofed application identities.

Due to these changes, developers who are registering new applications or modifying existing ones can expect to see error messages in the Google API Console, Firebase Console, or Apps Script editor.

As ZDNet reported last week, Google had announced plans to update its policies and enforcement of OAuth applications, as well as its anti-spam systems.

In the aftermath of the attack, Google revoked access people had granted the app, and had issued updates through Safe Browsing, Gmail, and Google Cloud Platform. It said fewer than 0.1 percent of Gmail users were affected.

Read more on Google and security

Editorial standards